Launch HN: Spruce (YC W21) – OSS for User Owned and Provably Authentic Data
63 points by wyc 5 months ago | 9 comments
Hello HN,

My name is Wayne Chang, co-founder of Spruce Systems, Inc. (https://spruceid.com). Spruce builds open source software that allows for the signed issuance of data to users that can then be verified. For example, transaction histories, educational qualifications, and reputation from online platforms.

I grew up on the Internet like many of you. I spent a lot of time on IRC where people frequently tried to dox others, and grew a profound respect for privacy as a result. When your online identity is a big part of who you are, it means a lot more when someone violates your privacy. Online identities will become a lot more of who everyone is, as we’ve seen especially over the past 12 hectic months. Today, we don’t have the right tools to assert control over our own identities or data, and we’re trying to change that with Spruce.

When you download your data from Google Takeout, you get a big .zip file that can’t really be used for anything but backups. The same is true with Facebook and LinkedIn. Most services don’t have automated data export and are only required to provide data when you ask.

Using new standards from W3C called Verifiable Credentials and Decentralized Identifiers, our software allows statements about people, places, and things to be issued as a package, linked together, digitally signed, and cryptographically verified. For example, employees can receive digital proofs of employment to get a mortgage. Gig economy workers can port their ratings from one system to another in a way they control. Data sets can travel along with signed statements that they have been stripped of personally identifiable information. By allowing data to move out of silos and increasingly into the hands of their owners, we can loosen the grip of a few large companies in owning everything.

These standards are already being adopted by big players open to data portability including Microsoft (issuance via Active Directory), Workday (portable work histories), the Digital Credentials Consortium (MIT/Harvard/UC Berkeley diplomas and coursework), and the World Health Organization (privacy-preserving vaccination records).

This technology could fundamentally change how we interact digitally. Instead of advertisers profiling people behind their backs, people can just present their credit card histories from Yodlee to get better offers at competitors. In web services, users can upgrade their accounts if they prove they belong to certain alumni networks. Businesses can reduce fraud and improve conversion while users regain control of their information, like if 1Password could store structured documents and also demonstrate their authenticity, untampered from their origins.

At Spruce, we’ve built a cross-platform Rust library called DIDKit that supports the use of Verifiable Credentials, Decentralized Identifiers, and many adjacent specifications in a neat bundle. Through customer feedback, we have grown the list of supported platforms to include Java, C/C++, and Node.js, with many more on the way. We further embed DIDKit into a Flutter application called Credible that runs on Android, iOS, and in the browser through WebAssembly/asm.js. It’s all open source under Apache 2.0. We make money by selling commercial tools, project roadmap commitments, and support contracts.

A great place to start is by building the DIDKit CLI tool and running the example credential issuance and verification shell script on your local GNU/Linux or macOS machine (also works with Windows using WSL 2).



We invite you to leave feedback about our engineering approach, platforms you’d like to see supported, and interesting use cases that would benefit people if their data were more portable and provably authentic.

You can find our repos here:

DIDKit: https://github.com/spruceid/didkit

Credible: https://github.com/spruceid/credible

Docs: https://spruceid.dev/docs/
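
The issue-then-verify flow the post describes (statements packaged, digitally signed, then cryptographically verified), as an added Node.js example that is not part of the original post and is not Spruce's or DIDKit's code. It assumes sorted-key JSON in place of the standards' proof formats; the `did:example:` identifiers, the `ExampleEd25519Proof` layout and the in-memory issuer registry are hypothetical.

```javascript
// Added illustration (not DIDKit code): issue and verify a signed credential.
const nodeCrypto = require('crypto');

// Serialize with recursively sorted keys so issuer and verifier sign the same
// bytes regardless of property order (assumed stand-in for real proof suites).
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Issuer side: sign everything except the proof, then attach the proof.
function issue(claims, issuerId, privateKey) {
  const unsigned = { ...claims, issuer: issuerId };
  const sig = nodeCrypto.sign(null, Buffer.from(canonicalize(unsigned)), privateKey);
  const proof = { type: 'ExampleEd25519Proof', verificationMethod: issuerId,
    signatureValue: sig.toString('base64') }; // hypothetical proof layout
  return { ...unsigned, proof };
}

// Verifier side: the key comes from the verifier's own issuer registry, never
// from the credential, so a holder cannot swap in a key of their choosing.
function verify(signed, trustedIssuers) {
  const { proof, ...unsigned } = signed;
  if (!proof || proof.verificationMethod !== unsigned.issuer) return false;
  const publicKey = trustedIssuers.get(unsigned.issuer);
  if (!publicKey) return false;
  try {
    const sig = Buffer.from(proof.signatureValue, 'base64');
    return nodeCrypto.verify(null, Buffer.from(canonicalize(unsigned)), publicKey, sig);
  } catch {
    return false; // a malformed proof is treated as a failed verification
  }
}

// Constructed sample data: an employer issues proof of employment to a holder.
const ISSUER = 'did:example:employer';
const claims = { type: ['VerifiableCredential', 'EmploymentCredential'],
  credentialSubject: { id: 'did:example:alice', role: 'Engineer' } };
const employer = nodeCrypto.generateKeyPairSync('ed25519');
const trustedIssuers = new Map([[ISSUER, employer.publicKey]]);
const credential = issue(claims, ISSUER, employer.privateKey);
// A claim is edited after issuance.
const tampered = { ...credential, credentialSubject: { id: 'did:example:alice', role: 'CEO' } };
// The same claims signed by a different key while naming the employer as issuer.
const forged = issue(claims, ISSUER, nodeCrypto.generateKeyPairSync('ed25519').privateKey);
console.log(verify(credential, trustedIssuers), verify(tampered, trustedIssuers), verify(forged, trustedIssuers));
```

Only the untouched credential verifies; the edited copy and the copy signed by an unregistered key are both rejected, as is any credential whose issuer is absent from the verifier's registry.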

Love that you're using WA and that it's Apache 2.0. I do get the sense of the idea but felt it's not clear whom it's targeted at, business or consumer?

If it was for consumers and integrated with existing tools, I would love to try it. I had a pain point where even the big zip file would take quite a good amount of time to generate. Not sure if FB and Google do that to introduce friction in the process.

On the dev front, why would companies like Google, Uber, LinkedIn be willing to adopt this standard?

Today we work with engineering teams who have direct data interoperability and verifiability requirements, such as giving their users the ability to transfer their status on one platform to a partner's platform. Airlines and credit card companies already work together in this way, but these partnerships are currently expensive to set up and coordinate.

We found that the non-JavaScript tooling in the ecosystem was still nascent and wanted to do something about it friendlier to enterprise environments and security teams. We are using DIDKit as a base for adding this functionality to consumer-facing products, and hope others will find it convenient for this as well, so I look forward to giving updates on direct consumer use cases soon.

As per adoption by large tech/enterprises, we believe that as companies consolidate their data into warehouses, they will want (or need) to start sharing with partners, governments, and users in an auditable way. Some have compared Verifiable Credentials to the shipping container for verified data, and I don't think it's too off the mark.

We think these standards could also prove to be very straightforward ways to comply with data interoperability requirements imposed by laws like GDPR and CCPA. There will probably be more requirements in this direction if the US and EU decide to further regulate large tech companies.

My concern is that making it more technically feasible to export data this way means that more institutions will withhold access to services until you hand over your data now as a matter of process -- for example, American immigration authorities who've been in the news the last few years requesting (really, coercing) access to Facebook accounts.

The use case you mentioned involving gig workers is a bit scarier to me, to be honest. The lives of lower waged and gig workers are already beholden more to ratings than they probably should be. Should we make it easier for entire groups of companies to blacklist someone (for who knows how long) just because they had a bad experience with one?

Congratulations on the launch regardless

Thanks! I think your concerns are on point. To get the best outcomes that truly champion end users, I believe we need to look to policy solutions and not just the technology. With Spruce, we can ensure that technology is never the barrier to implementing more consentful digital interactions, but ultimately good governance has the potential for huge impact, and this should not be overlooked.

For example, I think the EFF analysis of COVID credentials for entry into public spaces is completely founded and brings up important points regarding equity and accessibility in a dystopian world where everyone is expected to wield digital credentials.


There are active discussions considering the privacy and equality-of-access impacts, and we definitely welcome you to participate in them. E.g., https://github.com/w3c/did-core/issues/370

Congrats on launching. It's been great to see DIDs and VCs taking off from all the great work of the W3C working groups.

How will you monetize your product? I've long followed Evernym and Bloom who set out to tackle part of this problem, but both have seemed to struggle to gain traction and customers. Can you afford to build on this long enough until a market forms that allows for monetizing it?

Thanks for your support! The big question for all companies in the VC/DID ecosystem is of course timing. I think it's a fatal mistake to create products that require the coordination of multiple stakeholders from the outset, so we are avoiding these in the beginning. We are instead focusing on solving for use cases that are simpler to coordinate, such as a Shopify storefront offering discounts to influencers who prove they have over 10,000 Instagram followers on their public account.

As per monetization, we sell commercial tools that give the look and feel of SaaS management (uptime monitoring, data schema management, integrations with proprietary enterprise systems like ERPs) but allow customers to keep the workflows and sensitive data in their own clouds. It's still early for Spruce (we started full time around last fall), so we are still very hands-on with customers discovering and working through their pain points in implementing credentialing workflows.

Finally, I think technologies like DECO (https://www.deco.works/) are truly going to change the game of verifiable data exports en masse, but I don't expect a production worthy implementation for at least another year or two. They could drastically simplify implementations of user-centric data workflows by reducing the requirement of coordinating multiple stakeholders to just one or two.

Hey there, somewhat unrelated, I'm super interested in what you're working on with Kiva Protocol — do you have any way I could contact you? I really like what Kiva is doing and am very interested in the Kiva Protocol. Contact info in profile if you prefer to reach out that way.

Very cool to see SpruceID here. I wasn't aware that you were in the W21 Y Combinator batch — very neat! If you could send me an email at sebastian@cerebrum.com I'd love to talk, I'm quite interested in what you're working on. Thanks!

Love the work you're doing on Tezos!
